Computer forensics has become its own area of scientific expertise, with accompanying coursework and certification. For someone who would like to get started practicing computer forensics it might be a little overwhelming. There are many different tools and techniques. Each tool provides different capabilities and affects the suspect system differently. Some tools can be very expensive, but there are many tools available which are free and fairly complete. The Helix tool is very robust and free of charge. Helix can be run as an operating system, it can be run from the command line, and it also has a Windows GUI. Helix allows for the analysis of a live system. Many corporate systems use Windows, and the Windows GUI is a perfect way to get started in practicing forensics. In this document you will find simple laboratories to follow so that you may familiarize yourself with the Helix tool using the Windows GUI and get started in the practice of computer forensics.

These laboratories were run on an XP virtual machine. Helix is available as a free downloadable ISO image from http://www.e-fense.com/helix/.
Introduction

Computer forensics, also called cyberforensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.

Forensic investigators typically follow a standard set of procedures: after physically isolating the computer in question to make sure it cannot be accidentally contaminated, investigators make a digital copy of the hard drive. Once the original hard drive has been copied, it is locked in a safe or other secure storage facility to maintain its pristine condition. All investigation is done on the digital copy. However, there are some systems that cannot be taken offline, and the investigation of a live, running system may be required.

Investigators use a variety of techniques and proprietary forensic applications to examine the hard drive copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital copy is carefully documented in a "finding report" and verified with the original in preparation for legal proceedings that involve discovery, depositions, or actual litigation.

Computer forensics has become its own area of scientific expertise, with accompanying coursework and certification.

For someone who would like to get started practicing computer forensics it might be a little overwhelming. There are many different tools and techniques. Each tool provides different capabilities and affects the suspect system differently. Some tools can be very expensive, but there are many tools available which are free and fairly complete. The Helix tool is very robust and free of charge. Helix can be run as an operating system, it can be run from the command line, and it also has a Windows GUI. Helix allows for the analysis of a live system. Many corporate systems use Windows, and the Windows GUI is a perfect way to get started in practicing forensics. In this document you will find simple laboratories to follow so that you may familiarize yourself with the Helix tool using the Windows GUI and get started in the practice of computer forensics.

These laboratories were run on an XP virtual machine. Helix is available as a free downloadable ISO image from http://www.e-fense.com/helix/.

While it is possible to download the image file with your browser, it is recommended that you use a download accelerator such as Download Express (http://www.metaproducts.com/DE.htm), Download Accelerator Plus (http://www.speedbit.com/), or GetRight (http://www.getright.com/) to ensure that the large file, which is about 700 MB, downloads properly. These utilities can resume downloads that are interrupted, and can segment large files and simultaneously download the different segments for faster transfers.
Helix User Manual

I. Familiarizing ourselves with the Windows Side

Note: When performing a live preview of a system, many of the actions taken can and will modify information on the suspect machine. This method should only be used when the system cannot be taken offline.

1. Insert the Helix CD in the computer's CD drive. If the CD auto-run feature is enabled (which is the Windows default), a Helix warning window should appear. If auto-run is disabled, you can run Helix by double clicking on the helix.exe file on the CD.


[Screenshot: HELIX v2.0 (09/15/2008) warning window, with a "Choose Your Language" drop-down set to English and Accept / Exit buttons. The warning reads:]

   You are running this application in a LIVE Windows environment. There is ABSOLUTELY NO WAY to protect this live environment from changing.

   This application WILL make changes to the running system. This is an accepted risk you must be willing to take.

   If you are not willing to accept this risk or do not understand what you are doing then exit now, otherwise agree and proceed at your own risk....

   Brought to you by http://www.e-fense.com - helix@e-fense.com

2. Select the language you prefer and click on the Accept button. Then the main window will be opened.

3. This main screen doesn't behave as a standard window. It doesn't show up in the taskbar, and you cannot switch to it via the <ALT><TAB> key sequence. Helix does place an icon in the system tray which can be used to access the program. To bring the Helix main screen to the front, you can double-click on the icon, or right-click and select Restore. Other options on the right-click menu include Minimize and Exit.


[Screenshot: system tray icon right-click menu showing Restore and Minimize]

4. Main Options:

   a. Preview System Information

   This choice will provide you with the basic information of the system. It includes operating system version, network information, owner information, and a summary of the drives on the system. In addition, there is a second page that will show a list of running processes.

   b. Acquire a "live" image of a Windows System using dd

   This option will allow the investigator to make copies of hard drives, floppy disks, or memory, and store them on local removable media, or over a network.

   c. Incident Response tools for Windows Systems

   This option provides access to 20 tools, all of which can be run directly from the CDROM. Once you click the icon, a small triangle will appear next to the icon. Clicking on this small triangle will provide access to the other pages of tools.

   d. Documents pertaining to Incident Response, Computer Forensics, Computer Security & Computer Crime

   This option provides the user with access to some common reference documents in PDF format. The documents include a chain of custody form, preservation of digital evidence information, a Linux forensics guide for beginners, and a forensic examination of digital evidence guide. These documents are highly recommended, and the investigator should review them before attempting any forensic examination.

   e. Browse contents of the CD-ROM and Host OS

   This is a simple file browser that will provide the investigator with information about the selected file. It will display the filename, created, accessed and modified dates, attributes, CRC, MD5 and the file size. Due to the nature of the Windows operating system, the first time you select a file it will display the access date of the last access. If you select the same file again, it will display the date and time of the previous access. This is a feature of the Windows operating system, and cannot be prevented. This is one of the problems with examining a live system - the investigator's actions may modify the system.

   f. Scan for Pictures from a live system

   This tool will allow the investigator to quickly scan the system to see if there are any suspect graphic images on the suspect system. Many different graphic formats are recognized, and displayed as thumbnails.


5. Menu Bar

[Screenshot: HELIX v2.0 (09/15/2008) title bar with the menu bar: File, Quick Launch, Page, Help]

In addition to the icons, all the features are directly accessible via the Helix menu bar.

File - Allows the user to exit the Helix application

Quick Launch - Allows the user to launch a command tool or the FTK Imager software

Page - Allows the user to jump directly to any of the utility screens

Help - Displays information about the program, and the license agreement
Laboratory 1 - Preview System Information

1. Select the Preview System Information option from the menu.

This screen displays some general information about the system being investigated. Some points of interest:

• "Admin:" tells us if the current user is the administrator (it is good security practice to change the name of the administrator account).

• "Admin Rights:" tells us if the current user has administrator privileges.

• "NIC:" is the MAC address of the network card. If this value is "000000000000" it indicates that the network card is in promiscuous mode, and could be capturing all the network traffic on the system.

• "IP:" is the current IP address - this could change if the system is set up for DHCP.

• Drive names listed with no additional information typically indicate removable drives with no media inserted.

2. Click on the small triangle next to the Preview icon. This will display the second page of information, which lists the running processes. Clicking the triangle will flip between the two pages of information.


[Screenshot: Helix "Running Processes" page (Page 2 of 2) listing the full path of each running process, for example C:\Windows\System32\svchost.exe, C:\Windows\System32\winlogon.exe, C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe and several Microsoft SQL Server binaries]

In addition to displaying all the running processes in memory, double-clicking on any process will give the user the option to terminate the selected application. Care should be taken, and the investigator should be sure they are terminating the proper process. Terminating the wrong process could result in system damage and loss of forensic evidence.

3. Select a process and double click on it.
[Screenshot: the same Running Processes page with the "Are you sure?" confirmation dialog displayed after double-clicking a process]
NOTE: Why don't we just use the built-in Task Manager to display this information? If the system has been hijacked by a rootkit, or some other malicious program, it is possible that the Windows Task Manager has been modified to not display the malicious code. Since Helix is running from the CD, it cannot be modified, and should be able to display all the programs currently running on the system.

Now you have some knowledge about the system that you're analyzing and the processes that are being run on it. And if there are hidden processes running which the owner of the system was unaware of, you have been able to identify those as well.
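The note above turns on one idea: a tool run from read-only media enumerates processes independently of an on-disk Task Manager that malware may have patched, so a process present in one listing and absent from the other is a finding. The following is an added example, not code from the Helix manual or from Helix itself; it diffs two such listings. Both listings, the Proc type and the function names are constructed for this illustration.

```python
"""Cross-view comparison of two process listings.

Added example; not part of the Helix manual. Both listings below are
constructed sample data, not captured from a real host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    path: str


# Constructed: the view reported by a tool living on the suspect's disk.
UNTRUSTED_VIEW = [
    Proc(4, "System"),
    Proc(620, r"C:\Windows\System32\winlogon.exe"),
    Proc(880, r"C:\Windows\System32\svchost.exe"),
    Proc(1048, r"C:\Windows\System32\svchost.exe"),
    Proc(1900, r"C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe"),
]

# Constructed: the view reported at the same moment by a tool run from the CD.
TRUSTED_VIEW = UNTRUSTED_VIEW + [
    Proc(2412, r"C:\Windows\Temp\unknown.exe"),   # absent from the untrusted view
]


def cross_view_diff(trusted, untrusted):
    """Return (hidden, phantom).

    hidden:  (pid, path) pairs only the trusted view shows; candidates for
             processes concealed from the on-disk tool.
    phantom: pairs only the untrusted view shows; usually processes that
             exited between the two snapshots, which is why the two listings
             should be taken as close together in time as possible.
    Paths are compared case-insensitively because NTFS paths are."""
    t = {(p.pid, p.path.lower()) for p in trusted}
    u = {(p.pid, p.path.lower()) for p in untrusted}
    return sorted(t - u), sorted(u - t)


def report(trusted, untrusted):
    """Human-readable lines for the investigator's notes."""
    hidden, phantom = cross_view_diff(trusted, untrusted)
    lines = [f"HIDDEN  pid={pid} {path}" for pid, path in hidden]
    lines += [f"PHANTOM pid={pid} {path}" for pid, path in phantom]
    return lines or ["Views agree: no discrepancies"]


if __name__ == "__main__":
    print("\n".join(report(TRUSTED_VIEW, UNTRUSTED_VIEW)))
```

A PHANTOM entry is not by itself suspicious; short-lived processes come and go between two snapshots, and PIDs are reused, which is why the pair (pid, path) rather than the PID alone is the comparison key. A HIDDEN entry is what the note is about and should be documented, not terminated, on a live system.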
Laboratory 2 - Acquire a "live" image of a Windows System using dd

Select the acquisition option in the menu. There are two tools provided to acquire images of physical memory or disk drives. On the first page, there is a graphical front-end to the command line version of dd, a common disk duplication utility. The dd utility can capture physical memory and drives. Also, dd can image over a network.

Part A - Using dd

The Source field includes a drop-down box for the investigator to select any drive in the system. The destination can be a local removable drive, a network drive or a net-cat listener. The image name is the user-chosen name, and the standard extension is ".dd".

The Options include:

• Attached/Shared: check this option to save the image to a local drive, or a network share.

• Net-Cat: check this option to transfer the image to a net-cat server located on the network. With this option you will need to specify the IP address and port number of the net-cat server.

• Split Image: allows you to split the image into multiple files if the image will exceed the capacity of the storage medium. For example, if you are imaging a 10 gig hard drive, you can split the image so that it will fit on a CDROM, DVD, or FAT32 file system, which has a 4 gig file size limitation.

Select the desired source and destination files. Once you enter all the parameters and press the "Acquire" button, a forensic command shell window will open up. This command shell uses trusted binaries to prevent rootkits from tampering with the image being created. You can now paste the dd command line into the shell by right clicking and selecting "paste" from the context menu. Press Enter to execute the command.
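With the Net-Cat option the image never touches local media: dd's output is streamed to a listener at the IP address and port you entered, and the listener writes what arrives to a file. The sketch below is an added example, not code from the Helix manual or from netcat, that plays both roles over loopback to show the check that makes such a transfer usable as evidence: the collecting side computes its own digest while receiving and it must equal the digest of what was sent. All function names are this example's own, and the "disk" is a constructed random byte string.

```python
"""Acquisition over the network with a digest computed on both ends.

Added example, not part of the Helix manual. The source "disk" is
constructed random data; the transfer runs over 127.0.0.1.
"""
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 64 * 1024


def receive_image(listener, out_path):
    """Accept one connection, write the stream to out_path, return its MD5."""
    conn, _ = listener.accept()
    md5 = hashlib.md5()
    with conn, open(out_path, "wb") as fh:
        while True:
            block = conn.recv(CHUNK)
            if not block:            # sender closed its write side: stream complete
                break
            fh.write(block)
            md5.update(block)
    return md5.hexdigest()


def send_image(host, port, data):
    """Stream data to host:port (the role of `dd ... | nc host port`) and
    return the MD5 of what was sent."""
    md5 = hashlib.md5()
    with socket.create_connection((host, port)) as s:
        for i in range(0, len(data), CHUNK):
            block = data[i:i + CHUNK]
            s.sendall(block)
            md5.update(block)
        s.shutdown(socket.SHUT_WR)   # a raw TCP stream has no other end-of-image marker
    return md5.hexdigest()


def acquire_over_network(data, out_path):
    """Run listener and sender on loopback. Returns (sender_md5, receiver_md5)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    rx = threading.Thread(
        target=lambda: result.update(md5=receive_image(listener, out_path)))
    rx.start()
    tx_md5 = send_image("127.0.0.1", port, data)
    rx.join()
    listener.close()
    return tx_md5, result["md5"]


def demo(size=300_000):
    """Constructed acquisition: random bytes stand in for the source device."""
    disk = os.urandom(size)
    out_path = os.path.join(tempfile.mkdtemp(), "image.dd")
    tx_md5, rx_md5 = acquire_over_network(disk, out_path)
    with open(out_path, "rb") as fh:
        stored = fh.read()
    return {
        "sender_md5": tx_md5,
        "receiver_md5": rx_md5,
        "accepted": tx_md5 == rx_md5,            # only then is the image evidence
        "file_intact": stored == disk,
        "bytes": len(stored),
    }


if __name__ == "__main__":
    print(demo())
```

In the real workflow the sending side's digest is the filename.dd.md5 that dd writes next to the image (described below); the receiving side's digest is whatever the collector computes over the file the listener produced. A TCP stream carries no length or framing, so a connection dropped mid-transfer looks like a clean end of data to the listener, and only the digest comparison reveals the truncation.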

Once the command is finished, there will be 3 files in the destination directory:

• filename.dd - the image of the source disk

• filename.dd.md5 - a file containing the MD5 of the image file

• Audit.log - a file containing the command and the output of the program

You should examine the Audit.log file. If all went well you should see that all the MD5 hashes match and you will see the message "The checksums do match". If they match, that means you have an accurate copy of the evidence. Here is an example of the file.


[Screenshot: Audit.log opened in Notepad. Recoverable content: the Forensic Acquisition Utilities dd version banner (copyright George M. Garner Jr.); the command line dd.exe if=\\.\PhysicalMemory of="C:\Documents and Settings\Administrator\Desktop\Image\Image.dd" with the --md5sum, --verifymd5, --md5out and --log options; the run date 26/04/2012 00:37:37, the current user (Administrator) and the total physical memory reported; a "stopped reading physical memory: The parameter is incorrect." line; the MD5 digests computed for the input and for the output file; and the closing "131071+0 records in / 131071+0 records out".]

And that's it. You now have an accurate copy of the suspect's chosen drive. Print out the Audit.log file, put it in the evidence envelope along with the original floppy, update the chain-of-custody form, and return the evidence to the evidence locker.

Part B - Using FTK Imager

"FTK Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with Access Data® Forensic Toolkit® (FTK™) is warranted. FTK Imager can also create perfect copies (forensic images) of computer data without making changes to the original evidence." (Access Data, 2005) According to the FTK Imager Help File (Access Data, 2005), you can:

• Preview files and folders on local hard drives, floppy diskettes, Zip disks, CDs, and DVDs.

• Create forensic images of local hard drives, floppy diskettes, Zip disks, CDs, and DVDs.

• Preview the contents of forensic images stored on the local machine or on a network drive.

• Export files and folders.

• Generate hash reports for regular files and disk images (including files inside disk images).

To access the FTK Imager, select the second page of the Image Acquisition page. This page will display the release notes for the current version of the tool. Click on the "Imager" to launch the actual application.

Note: FTK Imager can now also be launched via the Quick Launch menu on the main screen.

The FTK Imager is a powerful and flexible tool. It can be used to examine media and images, and extract deleted files. It has extensive information available via the Help menu or the question mark icon on the toolbar.

Once you have an image of a disk it might be a good idea to have additional copies, just in case. Let's use the FTK Imager to create the image and the necessary copies. For this test let's say that we have received a flash drive belonging to a suspect. It could be a different source, like a floppy disk for example.

First, from the menu, select File / Create Disk Image. Select Logical Drive, and click Next.
Select F:\ from the drop-down menu, and click Finish.

[Screenshot: "Select Drive" dialog, Source Drive Selection: "Please select from the following available drives: F:\ - [FAT]", with an "Automate multiple removable media" checkbox and Back / Finish / Cancel / Help buttons]

Now you are to select the destination drive. Click "Add...". You can choose from three Image Types. Raw (dd) is the same format as created by the dd command, and is the most universal format. SMART is for the SMART forensic tool from ASR Data, and E01 is the format used by EnCase. Be sure that the "Raw (dd)" option is selected and click Next.

Select the folder you wish to create the image in. Include the image file name, but not the extension; it will be added automatically. The image fragment size is used to split large images into chunks that can fit onto removable media. In this case we will be saving into a local folder that we will create on the C:\ drive (C:\Forensics\Images). Click Finish.

You are returned back to this screen. Click Start.

The time it takes to perform the image will vary with the size of the image we are creating.

Once it is finished, it will display the Drive/Image Verify Results, and if all went well, you should see that both the MD5 and SHA1 hashes displayed match. If they match, that means you have an accurate copy of the evidence. If they don't match, that typically means you have a bad disk, and the drive had a problem reading the source. Click Close. You can click Close again on the Creating Image screen.
[Screenshot: Drive/Image Verify Results dialog. Name: FTKImagerTest1.001; Sector count: 511968; MD5 Hash - Computed hash: 584698bb3a713b00197410bf2cc9e503, Report Hash: 584698bb3a713b00197410bf2cc9e503, Verify result: Match; SHA1 Hash section collapsed; Close button]

You should have two files in your destination folder:

FTKImagerTest1.001 - this is the image of the source disk.

FTKImagerTest1.001.txt - this is a copy of the Image Verify Results screen.

[Screenshot: Windows Explorer window for C:\Forensics\Images listing FTKImagerTest1.001 (001 File, 255,984 KB) and FTKImagerTest1.001.txt (Text Document, 2 KB), both modified 4/25/2012 10:46 AM]

Congratulations! You now have an accurate copy of the suspect's disk. Print out the FTKImagerTest1.001.txt file, put it in the evidence envelope along with the original disk (in our case the flash drive), update the chain-of-custody form, and return the evidence to the evidence locker. In order to create a copy you will repeat the previous steps, but you will then save the image onto the appropriate removable media selected.
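Both acquisition paths in this laboratory end the same way: the image is re-read and its digest compared with the one recorded at acquisition time (the filename.dd.md5 sidecar in Part A, the Report Hash on the Verify Results screen in Part B), and FTK additionally reports a SHA1 digest and a sector count. The script below is an added example, not code from the Helix manual, dd or FTK Imager, that performs that verification from the command line, including the split-image case from Part A, where chunks have to be hashed in acquisition order. Assumptions made only for this example: the sidecar holds "<hex md5>  <name>" on its first line, split chunks are named image.dd.001, image.dd.002, ..., and sectors are 512 bytes; all function names are this example's own.

```python
"""Verify an acquired image against the digest recorded at acquisition.

Added example, not code from the Helix manual, dd or FTK Imager. Sidecar
layout and chunk naming are assumptions for this example; the test image
is constructed in a temporary directory.
"""
import hashlib
import os
import re
import tempfile

SECTOR = 512   # FTK reports image size as a count of 512-byte sectors


def ordered_chunks(paths):
    """Order split-image chunks by numeric suffix (.001, .002, ...).

    A lexical sort breaks once the suffix width changes (".9" sorts after
    ".10"), so sort on the parsed integer. One unsplit image is returned as-is."""
    if len(paths) == 1:
        return list(paths)

    def key(p):
        m = re.search(r"\.(\d+)$", p)
        if not m:
            raise ValueError(f"chunk without numeric suffix: {p}")
        return int(m.group(1))
    return sorted(paths, key=key)


def hash_image(paths, block_size=1 << 20):
    """Stream every chunk, in order, through MD5 and SHA-1 in a single pass.
    Returns (md5_hex, sha1_hex, total_bytes)."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    for p in ordered_chunks(paths):
        with open(p, "rb") as fh:
            for block in iter(lambda: fh.read(block_size), b""):
                md5.update(block)
                sha1.update(block)
                total += len(block)
    return md5.hexdigest(), sha1.hexdigest(), total


def parse_md5_sidecar(text):
    """Pull the 32-hex-digit MD5 from a '<hash>  <name>' sidecar line."""
    m = re.match(r"\s*([0-9a-fA-F]{32})\b", text)
    if not m:
        raise ValueError("no MD5 digest found in sidecar")
    return m.group(1).lower()


def verify(paths, expected_md5):
    """Hash the image and compare with the digest taken at acquisition."""
    md5, sha1, size = hash_image(paths)
    return {
        "md5": md5, "sha1": sha1, "bytes": size,
        "sector_count": size // SECTOR,
        "partial_sector": size % SECTOR != 0,   # a truncated copy shows up here
        "match": md5 == expected_md5.lower(),
    }


def format_report(name, result, expected_md5):
    """Lay the result out like FTK's Drive/Image Verify Results screen."""
    return "\n".join([
        f"Name: {name}",
        f"Sector count: {result['sector_count']}",
        f"MD5 computed hash: {result['md5']}",
        f"MD5 report hash:   {expected_md5.lower()}",
        f"SHA1 computed hash: {result['sha1']}",
        f"Verify result: {'Match' if result['match'] else 'MISMATCH'}",
    ])


def demo():
    """Build a constructed 3-chunk image in a temp dir and verify it."""
    d = tempfile.mkdtemp()
    whole = bytes(range(256)) * 20              # 5120 bytes = exactly 10 sectors
    parts = [whole[:2048], whole[2048:4096], whole[4096:]]
    paths = []
    for i, part in enumerate(parts, 1):
        p = os.path.join(d, f"image.dd.{i:03d}")
        with open(p, "wb") as fh:
            fh.write(part)
        paths.append(p)
    # Sidecar as the acquiring side would have written it (constructed).
    expected = parse_md5_sidecar(f"{hashlib.md5(whole).hexdigest()}  image.dd\n")
    good = verify(paths, expected)
    # Chunk order is recovered from the suffixes, so a shuffled list still matches.
    reversed_match = verify(list(reversed(paths)), expected)["match"]
    # A recorded digest that differs in one nibble must be reported as a mismatch.
    tampered = verify(paths, expected[:-1] + ("0" if expected[-1] != "0" else "1"))
    return {"good": good, "reversed_match": reversed_match, "tampered": tampered,
            "whole_sha1": hashlib.sha1(whole).hexdigest(),
            "report": format_report("image.dd", good, expected)}


if __name__ == "__main__":
    print(demo()["report"])
```

The sector count is worth recording alongside the digests: a mismatch together with a partial final sector points to a truncated copy, while a mismatch with the expected size points to a read error on the source, which is the "bad disk" case described above. The same function also covers the Part A split-image option, whose purpose is the 4 gig file limit of FAT32 media.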
Laboratory 3 - Incident Response tools for Windows Systems

This panel provides the investigator with a number of tools to respond to incidents. There are three pages to this panel; the other pages can be accessed by clicking on the small triangles next to the Incident Response icon in the left tool bar. We will only go through some of the options available.
The tools include:

• Windows Forensics Toolchest (WFT)

• Incident Response Collection Report (IRCR2)

• First Responder's Evidence Disk (FRED)

• First Responder Utility (FRU)

• Security Reports (SecReport)

• Md5 Generator

• Command Shell - a forensically sound command shell

• File Recovery - recover deleted files

• Rootkit Revealer - detect the presence of rootkits on the system

• VNC Server

• Putty SSH

• Screen Capture

• Messenger Password

• Mail Password Viewer

• Protected Storage Viewer

• Network Password Viewer

• Registry Viewer

• Asterisk Logger

• IE History Viewer

• IE Cookie Viewer

• Mozilla Cookie Viewer

Part A - MD5 Generator

On the top part of the second page of the Incident Response option you will find the option of generating the MD5 signature for any file in your system.

First click on the button; this will bring up the file manager so that you may select a file from your system. Select any file you like.

Once the desired file is in the file text box you may press the "hash" button. Helix will proceed with the MD5 signature generation, and you now have the MD5 signature for the file you selected.

Part B - Rootkit Revealer

Rootkit Revealer is a freeware tool from Sysinternals. It successfully detects all rootkits published at www.rootkit.com.

A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.

A rootkit may consist of spyware and other programs that: monitor traffic and keystrokes; create a "backdoor" into the system for the hacker's use; alter log files; attack other machines on the network; and alter existing system tools to escape detection.

The presence of a rootkit on a network was first documented in the early 1990s. At that time, Sun and Linux operating systems were the primary targets for a hacker looking to install a rootkit. Today, rootkits are available for a number of operating systems, including Windows, and are increasingly difficult to detect on any network.

Rootkits have become more common and their sources more surprising. In late October of 2005, security expert Mark Russinovich of Sysinternals discovered that he had a rootkit on his own computer that had been installed as part of the digital rights management (DRM) component on a Sony audio CD. Experts worry that the practice may be more widespread than the public suspects and that attackers could exploit existing rootkits. "This creates opportunities for virus writers," said Mikko Hypponen, director of AV research for Finnish firm F-Secure Corp. "These rootkits can be exploited by any malware, and when it's used this way, it's harder for firms like ours to distinguish the malicious from the legitimate."

A number of vendors, including Microsoft, F-Secure, and Sysinternals, offer applications that can detect the presence of rootkits. If a rootkit is detected, however, the only sure way to get rid of it is to completely erase the computer's hard drive and reinstall the operating system.

Let's run the application. First, click on the Rootkit Revealer icon.

[Screenshot: Rootkit Revealer icon in the Incident Response tool panel]

When asked for confirmation click "Yes".

You may be asked to accept the terms of agreement. If you wish to proceed, click on the "Accept" button.

The main scanning window will be presented. The program will run at the level of the currently logged-in user. It would be best to run this as a system administrator for more accurate results.

In order to interpret the output you can find the meaning of the Description column on the Sysinternals web site. The results of the scan can be saved to a file using the File/Save option. This tool is meant to find rootkits, not remove them. Depending on the nature of the investigation, the detection of the rootkit needs to be documented and the system preserved for future investigation.
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Part  C  -  Internet  Explorer  History  Viewer 

Each time a URL is typed in the address bar or a link is clicked in Internet Explorer, the URL is added to the history index file (index.dat). This utility reads that file and lists every URL visited within the retention period, with the page title, the hit count, and the modified and expiration dates of each entry. It also allows you to select one or more URL addresses and then remove them from the history file or save them into a text, HTML, or XML file. In addition, it can display the visited URL list of other user profiles on the computer, and even the list on a remote computer, so long as you have permission to read the history folder. For forensic use treat the list as read-only: the delete option alters the very file you are examining.


1. Click on the IE History Viewer icon.

2.  You  will  be  presented  with  a  confirmation  message,  click  “Yes”  to  proceed. 


Notice: "You are about to run: The Helix IE History viewer program from Nirsoft. IS THIS OK?" [Yes] [No]


3. You will then be presented with the URL history:


IEHistoryView: C:\Users\michy_08\AppData\Local\Microsoft\Windows\History

URL                                                        Title                       Hits   Modified Date          Expiration Date
file:///C:/Users/michy_08/Documents/Maestria/Proyecto/H...                             110    5/2/2012 10:09:35 ...  5/28/2012 10:09:36 ...
file:///C:/Users/michy_08/Documents/Maestria/Proyecto/H...                             109    5/2/2012 10:07:51 ...  5/28/2012 10:00:44 ...
file:///C:/Users/michy_08/Documents/Maestria/Proyecto/2...                             7      5/2/2012 9:18:36 AM    5/28/2012 9:18:38 ...
http://www.eversave.com/common/dynamicflows/Dynami...      ::Welcome to Publishers...  661    5/1/2012 10:09:40 ...  5/27/2012 10:09:42 ...
http://www.facebook.com/                                   Facebook                    1,537  5/1/2012 10:09:40 ...  5/27/2012 10:09:42 ...
http://www.pch.com/pchrecognized                           Sweepstakes, Online Sw...   377    5/1/2012 10:09:40 ...  5/27/2012 10:09:42 ...
https://mail.google.com/mail/?shva=1                       Gmail                       1,375  5/1/2012 10:09:40 ...  5/27/2012 10:09:42 ...
https://www.bancopopular.com/cibp-web/actions/makePa...    Mi Banco | Make Payme...    102    5/1/2012 10:09:40 ...  5/27/2012 10:09:42 ...
https://accounts.google.com/ServiceLogin?service=mail&p... Gmail: Email from Google    190    5/1/2012 10:09:40 ...  5/27/2012 10:09:42 ...
http://spectrum.pch.com/Path/2012AprTVPCIREG/REMRE...      Publishers Clearing House   95     5/1/2012 10:09:40 ...  5/27/2012 10:09:42 ...

923 item(s)


4. Notice the menu at the top of the URL history window. The options are available both from the drop-down menus in the menu bar and from the toolbar icons just beneath it. When you select one or more URLs by ticking the checkbox at the left of each URL, additional options are enabled: you may delete the URL, save it to a file, or create a shortcut to the URL, among others. On a suspect system use only the save options; deleting entries changes the history file you are supposed to be preserving.


[Screenshot: the same IEHistoryView window with one URL ticked; the toolbar options are now enabled and the status bar reads "923 item(s), 1 Selected".]
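The viewer reads the history index.dat for you; the following added example (not part of the Helix lab or of NirSoft's IEHistoryView) shows what is underneath by carving the "URL " records out of such a file directly, which also recovers records a truncated or partly overwritten file would lose. Its assumptions: the record layout is the commonly documented "Client UrlCache MMF Ver 5.2" one used from Windows 2000 through Windows 7, and the field offsets used (block count at 0x04, last-modified and last-accessed FILETIMEs at 0x08 and 0x10, URL string offset at 0x34, hit count at 0x54) are taken from that documentation and should be checked against a reference parser before the output is relied on. The sample file is constructed by build_sample(); the expiration date (stored as a 32-bit FAT date/time) is not decoded here.

```python
"""Carve 'URL ' records out of an Internet Explorer history index.dat.

Added example; not part of the Helix lab or of NirSoft's IEHistoryView.
Assumption: "Client UrlCache MMF Ver 5.2" record layout with the offsets below.
"""
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128                                  # index.dat allocates in 128-byte blocks
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def split_visited(location):
    """History locations are stored as 'Visited: <user>@<url>'; return (user, url)."""
    if location.startswith("Visited: ") and "@" in location:
        user, _, url = location[len("Visited: "):].partition("@")
        return user, url
    return None, location


def carve_url_records(data):
    """Find every 'URL ' signature, validate its block count, decode the record.

    Scanning for the signature instead of walking the hash table means records
    in slack space or in a truncated file are still recovered.
    """
    records, pos = [], 0
    while True:
        off = data.find(b"URL ", pos)
        if off < 0 or off + BLOCK > len(data):
            break
        nblocks = struct.unpack_from("<I", data, off + 4)[0]
        size = nblocks * BLOCK
        if nblocks == 0 or off + size > len(data):
            pos = off + 4                    # damaged header: skip just the signature
            continue
        modified, accessed = struct.unpack_from("<QQ", data, off + 8)
        url_off = struct.unpack_from("<I", data, off + 0x34)[0]   # assumed offset
        hits = struct.unpack_from("<I", data, off + 0x54)[0]      # assumed offset
        location = ""
        if 0 < url_off < size:
            raw = data[off + url_off:off + size].split(b"\x00", 1)[0]
            location = raw.decode("latin-1")
        user, url = split_visited(location)
        records.append({
            "offset": off, "user": user, "url": url, "hits": hits,
            "modified": filetime_to_datetime(modified),
            "accessed": filetime_to_datetime(accessed),
        })
        pos = off + size
    return records


def _record(location, modified, accessed, hits):
    """Build one URL record in the assumed layout (used only for the sample)."""
    body = location.encode("latin-1") + b"\x00"
    url_off = 0x68                           # string placed after the fixed fields
    nblocks = (url_off + len(body) + BLOCK - 1) // BLOCK
    rec = bytearray(nblocks * BLOCK)
    struct.pack_into("<4sI", rec, 0, b"URL ", nblocks)
    struct.pack_into("<QQ", rec, 8, datetime_to_filetime(modified), datetime_to_filetime(accessed))
    struct.pack_into("<I", rec, 0x34, url_off)
    struct.pack_into("<I", rec, 0x54, hits)
    rec[url_off:url_off + len(body)] = body
    return bytes(rec)


def build_sample():
    """Constructed index.dat fragment: header, a record, a damaged record, a record."""
    header = b"Client UrlCache MMF Ver 5.2\x00".ljust(2 * BLOCK, b"\x00")
    t1 = datetime(2012, 5, 1, 10, 9, 40, tzinfo=timezone.utc)
    t2 = datetime(2012, 5, 2, 9, 18, 36, tzinfo=timezone.utc)
    damaged = b"URL " + struct.pack("<I", 0xFFFF) + b"\x00" * (BLOCK - 8)
    return (header
            + _record("Visited: user@http://www.facebook.com/", t1, t1, 1537)
            + damaged
            + _record("Visited: user@file:///C:/Users/user/Documents/report.doc", t2, t2, 7))


if __name__ == "__main__":
    for r in carve_url_records(build_sample()):
        print(f"{r['accessed']:%Y-%m-%d %H:%M:%S}  hits={r['hits']:<5} user={r['user']}  {r['url']}")
```

Run it against a copy of index.dat taken from an image, never the live file: the times it prints are UTC, whereas the viewer shows local time, so note the time zone when you put the two side by side.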


Part  D  -  Internet  Explorer  Cookie  Viewer 

lECookiesView  is  a  small  utility  that  displays  the  details  of  all  cookies  that  Internet 
Explorer  stores  on  your  computer.  In  addition,  it  allows  you  to  do  the  following  actions: 

•  Sort  the  cookies  list  by  any  column  you  want,  by  clicking  the  column  header.  A 
second  click  sorts  the  column  in  descending  order. 

•  Find  a  cookie  in  the  list  by  specifying  the  name  of  the  Web  site. 

•  Select  and  delete  the  unwanted  cookies. 

•  Save  the  cookies  to  a  readable  text  file. 

•  Copy  cookie  information  into  the  clipboard. 

•  Automatically  refresh  the  cookies  list  when  a  Web  site  sends  you  a  cookie. 

•  Display  the  cookies  of  other  users  and  from  other  computers. 


1. Click on the "IE Cookie Viewer" icon.

2.  You  will  be  presented  with  a  confirmation  message,  click  “Yes”  to  proceed. 


3. A window will open listing the cookies that Internet Explorer has stored on the system. Only persistent cookies are on disk; session cookies live in the browser process and do not appear here.

4. Many of the options that were available for the Internet Explorer URLs are available for the cookies: delete, save, open, and so on. Try them out in the lab virtual machine; on a suspect system, as with the history viewer, restrict yourself to the save and copy options.

5. There is also a Mozilla Cookie Viewer; it works like the IE cookie viewer. Follow the same steps, with the only difference that you start by pressing this icon:

Mozilla Cookie Viewer
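The cookie viewer presents the contents of the per-site text files that Internet Explorer keeps under the user's Cookies folder. The following added example (not part of the Helix lab or of NirSoft's IECookiesView) parses that file format directly and derives the one thing an investigator most often wants from cookies, the earliest known contact with each site. It assumes the well-known nine-line record layout IE on Windows XP writes (name, value, host/path, flags, expiry FILETIME low and high halves, creation FILETIME low and high halves, "*"); the two flag bits it decodes are assumed from the INTERNET_COOKIE_* constants in wininet.h, and the cookie file is constructed by build_sample().

```python
"""Parse Internet Explorer's per-site cookie text files.

Added example; not part of the Helix lab or of NirSoft's IECookiesView.
Assumptions: nine-line records as written by IE on Windows XP under
C:\\Documents and Settings\\<user>\\Cookies\\<user>@<site>.txt; flag bits
taken from wininet.h.  Only persistent cookies are stored on disk.
"""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FLAG_SECURE = 0x0001      # assumed: INTERNET_COOKIE_IS_SECURE
FLAG_HTTPONLY = 0x2000    # assumed: INTERNET_COOKIE_HTTPONLY


def filetime_to_datetime(low, high):
    """Two 32-bit halves of a FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    ft = (high << 32) | low
    return None if ft == 0 else EPOCH + timedelta(microseconds=ft // 10)


def parse_cookie_file(text):
    """Return one dict per cookie; raise on a record that is not 8 lines + '*'."""
    cookies, fields = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line != "*":
            fields.append(line)
            continue
        if len(fields) != 8:
            raise ValueError(f"line {lineno}: record has {len(fields)} fields, expected 8")
        name, value, hostpath, flags, exp_lo, exp_hi, cre_lo, cre_hi = fields
        host, _, path = hostpath.partition("/")
        flags = int(flags)
        cookies.append({
            "name": name, "value": value, "host": host, "path": "/" + path,
            "secure": bool(flags & FLAG_SECURE),
            "httponly": bool(flags & FLAG_HTTPONLY),
            "expires": filetime_to_datetime(int(exp_lo), int(exp_hi)),
            "created": filetime_to_datetime(int(cre_lo), int(cre_hi)),
        })
        fields = []
    if fields:
        raise ValueError("file ends in the middle of a record")
    return cookies


def first_contact(cookies):
    """Earliest cookie creation time per host: a lower bound on the first visit."""
    earliest = {}
    for c in cookies:
        if c["created"] and (c["host"] not in earliest or c["created"] < earliest[c["host"]]):
            earliest[c["host"]] = c["created"]
    return earliest


def _ft_halves(dt):
    ft = ((dt - EPOCH) // timedelta(microseconds=1)) * 10
    return ft & 0xFFFFFFFF, ft >> 32


def build_sample():
    """Constructed user@example[1].txt holding two cookies for the same host."""
    created = datetime(2012, 5, 1, 10, 9, 40, tzinfo=timezone.utc)
    expires = datetime(2012, 5, 27, 10, 9, 42, tzinfo=timezone.utc)
    later = created + timedelta(days=1)
    lines = []
    for name, value, flags, cre in (("sid", "abc123", FLAG_HTTPONLY | 0x800, created),
                                     ("pref", "lang=en", 0x800, later)):
        lines += [name, value, "www.example.com/", str(flags),
                  *map(str, _ft_halves(expires)), *map(str, _ft_halves(cre)), "*"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cookies = parse_cookie_file(build_sample())
    for c in cookies:
        print(f"{c['host']:<20} {c['name']:<8} created={c['created']:%Y-%m-%d %H:%M:%S} "
              f"expires={c['expires']:%Y-%m-%d} httponly={c['httponly']}")
    for host, when in first_contact(cookies).items():
        print(f"first contact with {host}: {when:%Y-%m-%d %H:%M:%S} UTC")
```

The creation time is evidence of contact with the host, not of what was done there; pair it with the history entries for the same period before drawing conclusions.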
Laboratory 4 - Scan for pictures of a live system

This tool lets the investigator quickly scan the system for suspicious graphic images. Files are recognised by their headers rather than their extensions, so many formats are found even when renamed, and they are displayed as thumbnails. Example use: a parole officer previewing a system for graphic images that would violate the conditions of parole.


1. Select the Scan for Pictures icon.

2. You will see the following screen, titled "Scan for Pictures from a live system".


3. Notice the menu at the bottom of the window in light grey. Click the "Load Folder" option and select the drive to scan.

4. Be aware that depending on the size of the drive, the amount of memory and the speed of the system, this could take a while. A reminder window will pop up; press the "OK" button for the process to continue.


Dialog: "Please be patient... It can take a long time to locate all the images." [OK]


After you press the "OK" button it may seem that nothing is happening; don't worry. Let it work; after a while you should see the following status messages:

Loading Images ...

Loading previews of images ...
Once the scan is complete you will be able to view the images recovered.

[Screenshot: Helix 2009R1 "Scan for Pictures" window (File, Quick Launch, Page, Help menus) showing the located images as thumbnails, a status line with the selected image's path, size in pixels and colour depth, and the "Load Folder" and "Clear All" buttons at the bottom.]

Double-clicking any thumbnail opens the image in the local viewer. Be advised that this application changes the last-access time on just about every file on the system, because it opens each file and examines its header to decide whether it is a graphic. On a live suspect machine that overwrites a timestamp you may later need, so record the time of the scan in your notes, and prefer running it against a forensic image whenever last-access times matter.
Laboratory 5 - Exiting Helix

There are several ways to exit the Helix application.

1. File / Exit from the menu bar - This prompts an offer to save a PDF of your transactions.

2. Click on the window's close button - This also prompts an offer to save a PDF of your transactions.

3. Right-click on the Helix icon in the system tray and exit from there - This will NOT save your transactions.

The first two options save a record of everything you did in the session, while the last one does not. If you choose to save the output, you will be prompted for the location of the file. Save it to a network share or to a removable evidence-collection drive, never to the suspect computer, so that you neither overwrite unallocated space that may still hold deleted data nor alter timestamps there. The default file name is Helix_Audit_Log.pdf. This audit log is part of your documentation: it records when each tool was run against the system, which is what you will use to account for the changes your own actions caused.

File example:

Incident Response ■ Electronic Discovery ■ Computer Forensics

Helix Version: 2009R1

Helix Started on: 04/30/2012 at 19:53:45

- SYSTEM INFORMATION -

Operating System: Windows XP Service Pack 2
Operating System Version: 5.1.2600
User Information:
  Owner: Obed
  Organization:
  Admin: No
  Admin Rights: Yes
Network Information:
  Host: VICTIMA-01
  User: Administrator
  IP: 192.168.126.126
  NIC: 000c292cd7ec
  Domain:
Detected Drives:
  A:\ (Removable drive)
  C:\ (Logical drive)
  D:\ (CD/DVD-ROM drive)

19:58:46 - Helix displayed the Incident Response page 1.
19:58:49 - Helix displayed the Incident Response page 2.
19:58:53 - The RootKit Revealer was executed successfully.
20:02:44 - The PC Inspector File Recovery utility was executed successfully.
20:04:18 - Helix displayed the Browse Contents page.
20:04:39 - Helix displayed the Scan for Pictures page.

- INVESTIGATIVE NOTES -

Helix Stopped on: 05/03/2012 at 20:04:46